How to Set Up an MCP Server Proxy for Production AI Agents

The Model Context Protocol defines how AI agents discover and call tools on remote servers. During development, you connect directly: agent talks to MCP server on localhost, everything works. But the moment you deploy that server for a team of agents or expose it to the internet, direct connections break down.

Three problems surface immediately:

• TLS termination. MCP servers built with frameworks like FastMCP typically serve plain HTTP. Agents connecting over the internet need encrypted connections, and managing certificates inside your MCP server code adds complexity you don't want.
• Authentication at the edge. You need to verify that incoming requests carry valid tokens before they reach your MCP server process. Handling auth inside the server ties your business logic to your security layer.
• Connection management. MCP's Streamable HTTP transport uses long-lived connections. Without proper timeout configuration, standard web proxies will kill sessions mid-conversation.

A reverse proxy solves all three. Nginx or Caddy sits in front of your MCP server, handles TLS and auth, and forwards clean requests to your application. The MCP server stays focused on tool execution.

Both Nginx and Caddy work well as MCP server proxies, but they make different tradeoffs.

Nginx gives you granular control over every connection parameter. You can tune buffer sizes, upstream keepalive pools, and rate limits with precision. If you already run Nginx in your infrastructure, adding an MCP upstream is straightforward. The downside is certificate management. You will need certbot or another ACME client running alongside Nginx to handle TLS certificates.

Caddy handles TLS automatically. Point it at a domain, and it provisions certificates from Let's Encrypt without additional tooling. The configuration syntax is shorter and more readable. For teams deploying their first MCP proxy, Caddy gets you to production faster.

For MCP servers specifically, the critical difference is streaming support. Both handle it, but the configuration looks different. Nginx requires explicit directives to disable buffering and extend timeouts. Caddy's defaults are closer to what MCP needs out of the box.

If you need fine-grained traffic shaping or already have Nginx infrastructure, use Nginx. If you want the shortest path to a secure, working proxy, use Caddy.

MCP connections are long-lived, which means the default Nginx configuration will break them. Standard timeouts kill idle connections after 60 seconds, and response buffering interferes with Server-Sent Events streams. Here is a working Nginx configuration for proxying an MCP server:

upstream mcp_backend {
    server 127.0.0.1:8000;
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name mcp.example.com;

ssl_certificate /etc/letsencrypt/live/mcp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mcp.example.com/privkey.pem;

location /mcp {
        proxy_pass http://mcp_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

proxy_buffering off;
        proxy_cache off;
        chunked_transfer_encoding off;

proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

location /sse {
        proxy_pass http://mcp_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

proxy_buffering off;
        proxy_cache off;
        chunked_transfer_encoding off;

proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}

The key directives:

• proxy_http_version 1.1 with an empty Connection header enables HTTP/1.1 keepalive to the upstream, which MCP's persistent connections require.
• proxy_buffering off and proxy_cache off ensure SSE events reach the agent immediately instead of being batched by Nginx.
• proxy_read_timeout 86400s gives connections a 24-hour window. MCP sessions can run for hours during complex agent workflows, and you don't want Nginx closing them prematurely.
• keepalive 32 in the upstream block maintains a pool of persistent connections to your MCP server, reducing connection overhead when multiple agents connect simultaneously.

Skip the proxy setup and connect agents directly

Fast.io's MCP server handles TLS, authentication, and multi-tenant isolation out of the box. 50GB free storage, no credit card required.

Sign Up Free

Caddy's configuration for the same setup is shorter because it handles TLS automatically and its defaults align better with streaming workloads:

mcp.example.com {
    handle /mcp* {
        reverse_proxy localhost:8000 {
            flush_interval -1
            transport http {
                keepalive 30s
                keepalive_idle_conns 32
            }
        }
    }

handle /sse* {
        reverse_proxy localhost:8000 {
            flush_interval -1
            transport http {
                keepalive 30s
                keepalive_idle_conns 32
            }
        }
    }
}

The flush_interval -1 directive tells Caddy to flush response bytes immediately without buffering, which is essential for SSE transport. Caddy provisions TLS certificates from Let's Encrypt automatically when you point a domain at it, so there is no separate certbot step.

For development or internal deployments where you don't need public TLS, Caddy can also proxy on a local port:

:8443 {
    reverse_proxy localhost:8000 {
        flush_interval -1
    }
}

This gives you a clean proxy layer without certificate management overhead.

A single MCP server can serve multiple agents when you put a proxy in front of it. The proxy handles routing, rate limiting, and tenant isolation while the MCP server processes tool calls.

API key authentication at the proxy is the simplest multi-tenant pattern. Each agent gets a unique API key. The proxy validates the key before forwarding the request:

map $http_x_api_key $valid_key {
    "agent-key-alpha" 1;
    "agent-key-beta"  1;
    default           0;
}

server {
    location /mcp {
        if ($valid_key = 0) {
            return 401;
        }
        proxy_pass http://mcp_backend;
        proxy_set_header X-Agent-ID $http_x_api_key;
    }
}

For more sophisticated setups, MCP gateway tools like Portkey, Gravitee, and the open-source MCP Gateway Registry project provide OAuth 2.0 token validation, role-based access control, and per-agent rate limiting out of the box. These sit in the same position as Nginx or Caddy but add MCP-aware routing logic.

Connection pooling matters at scale. Without a proxy, each agent opens its own connection to the MCP server. With the keepalive pool in your proxy configuration, agents share a smaller set of persistent upstream connections. This is where the "10x more agents per server instance" improvement comes from: the MCP server handles fewer TCP handshakes and maintains less connection state.

If you need full tenant isolation rather than shared-server multi-tenancy, consider running separate MCP server processes per tenant and using the proxy for routing based on the agent's identity header.

You don't always need to configure Nginx or Caddy from scratch. Several purpose-built MCP proxy tools handle the transport bridging for you.

mcp-proxy (npm) is a TypeScript proxy that converts stdio-based MCP servers into Streamable HTTP and SSE endpoints. If your MCP server only supports stdio transport, this tool wraps it with an HTTP layer:

npx mcp-proxy --port 8080 --apiKey "your-secret" -- npx -y @anthropic/mcp-server-filesystem /data

This command starts an HTTP proxy on port 8080 with API key authentication, forwarding requests to the filesystem MCP server. The proxy exposes both /mcp (Streamable HTTP) and /sse (legacy SSE) endpoints. You can then put Nginx or Caddy in front of this for TLS termination.

mcp-proxy-server (by adamwattis on GitHub) aggregates multiple MCP servers behind a single interface. Instead of configuring each agent to connect to five different MCP servers, agents connect to one proxy that routes tool calls to the right backend. This simplifies agent configuration and gives you a single point for logging and access control.

Plugged.in MCP Proxy takes this further with a web UI for managing connected servers, enabling or disabling individual tools, and monitoring traffic across all your MCP servers from one dashboard.

For managed MCP services like Fast.io's MCP server, the proxy layer is already handled. Fast.io exposes Streamable HTTP at /mcp and legacy SSE at /sse, with built-in authentication and multi-tenant workspace isolation. Agents authenticate with API keys or OAuth, and each workspace acts as an isolated tenant with its own files, permissions, and audit trail. No reverse proxy configuration needed on your end.

A proxy gives you a single point to enforce security policies. Here are the configurations that matter most for MCP deployments.

Rate limiting prevents runaway agents from overwhelming your MCP server. In Nginx:

limit_req_zone $http_x_api_key zone=mcp_limit:10m rate=30r/m;

location /mcp {
    limit_req zone=mcp_limit burst=10 nodelay;
    proxy_pass http://mcp_backend;
}

This limits each agent to 30 requests per minute with a burst allowance of 10, which is reasonable for most tool-calling patterns.

Access logging captures every tool call for audit purposes. Configure structured JSON logs that include the agent identity, timestamp, and response status:

log_format mcp_json escape=json
    '{"time":"$time_iso8601",'
    '"agent":"$http_x_api_key",'
    '"method":"$request_method",'
    '"path":"$uri",'
    '"status":$status,'
    '"duration":$request_time}';

access_log /var/log/nginx/mcp_access.json mcp_json;

Health checks catch MCP server failures before agents hit them. Add an upstream health check that verifies the MCP server is responding:

upstream mcp_backend {
    server 127.0.0.1:8000;
    keepalive 32;
}

Pair this with a monitoring tool that hits a health endpoint on your MCP server and alerts when it goes down.

For teams that need audit trails without building logging infrastructure, managed platforms like Fast.io provide built-in event tracking and activity summaries across all agent interactions. Every file operation, workspace change, and AI query is logged with timestamps and agent identity, exportable for compliance review.